
Filter on IPsec tunnel content

Hello,

I have a (possibly) unusual question: I would like to establish an IPsec tunnel (on a PIX), with a certain policy (e.g. tunnel all traffic from 10.1.0.0 to 10.2.0.0). However, not everything from one net to the other is allowed.

Is there a way to make the unencrypted traffic pass through an access-list? I was under the impression that "no sysopt connection permit-ipsec" would work, but either it does not, or I do not know what access-list to use...

Any comment would be appreciated....

Best regards,

gi

5 REPLIES

Re: Filter on IPsec tunnel content

"no sysopt connection permit-ipsec" is the default mode for this sysopt, and is necessary to keep it at "no" if you would like to apply an acl to the ingress interface.

As far as the acl to use, that's something you'll have to construct based on what you would like to permit or deny.

HTH,

Mike


Re: Filter on IPsec tunnel content

Hello Mike,

I do have an acl on the ingress interface, but it does not show any matches on my traffic (which passes).

Besides, I'm wondering if that is possible at all: the acl on the outside interface is already passed by the encapsulated traffic. So when the IPsec part is removed, is the traffic supposed to go through the same acl again???

If yes, then something is probably wrong with my config. If no, where could it then be filtered?

Gilles


Re: Filter on IPsec tunnel content

It could be your config. If you post the relevant parts, we can have a look.

Mike


Re: Filter on IPsec tunnel content

Hello Mike,

I must apologize: it actually was my config. The packets were allowed by an earlier rule than the one I was watching, and so I missed the point.

I'm glad though that it is now clear to me that one packet goes twice through the same acl... it is useful but it "feels" weird.

Regards,

Gilles
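The behaviour the thread settles on (with "sysopt connection permit-ipsec" turned off, a packet from the peer hits the outside interface ACL twice: once as ESP/ISAKMP, then again after decryption with its inner 10.2.x.x source) as a worked PIX configuration. This is an added example, not config from the original thread or from either poster; the peer addresses (203.0.113.x, a documentation range), ACL and crypto map names, transform set and inner hosts/ports are all assumptions, and the crypto syntax assumes PIX 6.3.

```text
! Added example, not from the thread. All addresses, names and the
! transform set are assumptions.
!
! Crypto ACL: what gets encrypted. Kept broad on purpose, as in the question.
access-list vpn_traffic permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Exempt the tunnelled traffic from NAT so the inner addresses stay 10.x.x.x
nat (inside) 0 access-list vpn_traffic

! Interface ACL on the outside interface. A packet from the peer passes this
! list twice: first as ESP/ISAKMP, then again after decryption.
! -- first pass: the encapsulated packets from the peer
access-list outside_in permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list outside_in permit esp host 203.0.113.2 host 203.0.113.1
! -- second pass: only the inner traffic that is actually allowed
access-list outside_in permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq www
access-list outside_in permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.20 eq 1433
! Explicit deny (the implicit deny would do the same) so the hit counter in
! "show access-list" shows what the tunnel is dropping.
access-list outside_in deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group outside_in in interface outside

! Make the decrypted packets go through the interface ACL
no sysopt connection permit-ipsec

! IKE and IPsec for the tunnel itself (assumed parameters)
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

Two practical checks follow from the thread. ACEs are matched top down, so a broader permit placed earlier in outside_in would silently take the hits that the narrower entries were expected to get; "show access-list outside_in" shows the per-entry hit counts and makes that visible. Note also that on later ASA software the command became "sysopt connection permit-vpn" and is enabled by default, so there the decrypted traffic bypasses the interface ACL unless that sysopt is turned off (or a vpn-filter is applied to the tunnel instead).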


Re: Filter on IPsec tunnel content

Ok, well, good to hear the issue is resolved.

Mike
